Apple iOS7 Management vs. MDM

One of the many contrasts between Microsoft and Apple over the years has been their respective relationships toward the enterprise. To oversimplify for dramatic effect, Microsoft has long embraced the enterprise customer while seemingly being ambivalent toward the consumer market. The yin to Microsoft's yang, Apple has fully embraced consumers while acting a bit prickly toward enterprises.

But this is beginning to change. Thanks to the popularity of mobile devices like the iPhone and iPad, combined with increasing adoption of enterprise BYOD, Apple and the enterprise are moving ever closer.

Mobile Deployment Gets Schooled

The Los Angeles United School District recently launched a program to roll out tens of thousands of iPads to high school students. Unfortunately, the project made the news not for its scope but for its scandal.

In short, the iPads were configured to limit user access to installing unauthorized apps and accessing websites outside of a school-approved whitelist. But within days, at least hundreds of students had "liberated" their iPads from the security restrictions, presumably converting them from educational devices to taxpayer-funded personal playthings. What went wrong?

Although not a private enterprise, the school district’s large deployment shares an enterprise-like scale. As such, the LAUSD looked at the iPad rollout from an enterprise perspective. They distributed the iPads configured with AirWatch, a popular MDM (mobile device management) platform. But savvy students found they could simply uninstall the AirWatch MDM profile from their devices. Doing so effectively removed the district’s ability to manage the devices remotely, impose app restrictions and control the Apple Global HTTP Proxy web filter.

Third-party MDM solutions like AirWatch and MobileIron – among many others – are not designed to hard-lock devices. In their natural habitat – that is, the corporate enterprise – users who remove MDM profiles simply lose access to corporate assets. At worse, there may be written policies that enforce MDM usage, which could potentially cost non-compliant employees their jobs.

There are no equally powerful disincentives in a high school environment. Kids will be kids, as they say. In short, traditional MDM is not a sticky enough solution for a school environment.

iOS 7 Adds MDM Lite

Given the proliferation of third-party MDM, Apple has read the tea leaves and bulked up iOS7’s MDM-like features. Organizations now have more power to manage and restrict iOS7 devices without third-party tools. Some highlights include:

Enterprise Single Sign-on: Allows devices which are connected behind the company firewall (either internally or via VPN) to obtain credentials for all apps to access company assets without requiring per-app authentication.

Per-App VPN: Isolates which apps can access company assets. Each app can open its own private VPN tunnel, so that business and personal apps can run side by side without routing all traffic through company VPN.

Managed Apps: Developers can create a policy manifest to manage app usage, which can be activated with a matching profile deployed on the device. For example, a company can create a private app whose usage policy can be managed by an iOS7 management profile.

"Open In" Management: Although awkwardly named, Open In can help prevent data leakage by restricting app access to certain types of data. For example, apps controlled by management profiles can be configured to only access content from other managed apps. Or, unmanaged apps could be configured with read-only access to content created by managed apps.

In addition, iOS7 also further hardens built-in security features. Remote wipe and lock is more robust and requires iCloud authentication for recovery. And built-in data encryption can be employed by app developers, meaning they can "switch on" device-based encryption of user data without rolling their own.

Enhanced API for Third-party MDM

In addition to more robust built-in management in iOS7, the OS also provides a richer API to third-party MDM platforms. MDM customers can gain more granular management of deployed devices, including:

Web content filters which whitelist across all apps with Web access and without relying on a proxy server.

Apple Configurator vs. MDM

The LAUSD rollout debacle illustrated a key difference between using any third-party MDM solution versus Apple’s own Configurator to lock down an iPhone or iPad.

Apple Configurator can impose hard restrictions on device usage which cannot be as easily removed by end-users compared to any MDM profile. But Apple Configurator requires an organization to physically access each device, essentially being an unrealistic solution for any deployment of scale. Plus, devices locked down using Apple Configurator can no longer be remotely managed.

On a related note, some early large-scale adopters of iOS7 have discovered an unpleasant side effect of the new OS: Supervision profiles from iOS6 are being wiped out. In these cases, upgrading to iOS7 is actually resulting in loss of device management, at least temporarily until a new profile is created.

Heterogenous MDM

There is another key difference between a large-scale school district device deployment and most enterprise environments: heterogeneity. That is, an organization like the LAUSD that can acquire and deploy a single device type such as the iPad is the exception rather than the rule in large enterprise installations.

Most organizations are mixed-device environments. In the mobile arena, this means both Android and iOS, not to mention Microsoft and even BlackBerry. This reason alone ensures a safe future for third-party MDM platforms. Regardless of Apple’s inclusion of MDM-lite features in iOS7, most organizations will continue to rely on solutions that can manage a wider range of mobile OS platforms.

Aaron Weiss is a technology writer and frequent contributor to eSecurity Planet and Wi-Fi Planet.